Endpoint Protection

SEP does not detect therefore cannot remove rogue XP 2010 AntiVirus (and variants) but MalwareBytes can.  I pay for SEP clients yet Malwarebytes is free. 
I can't help but imagine if I replaced my SEP client with a full (purchased) version of MBytes that I could avert spyware infecting many of my 500+ workstations.
What do they (Malwarebytes) know that Symantec does not?  Please help me to understand.   

Distributed SEP definitions are current: Monday, February 08, 2010 r48
Client version is 11.0.3001.2224

Please read this KB - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000100610314948

Check your security settings -

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

I recommned you upgrade off 11 MR3,  that is an old build. SEP 11 MR5 is the latest build available.

Cheers,
Thomas

Do read this discussion
 https://www-secure.symantec.com/connect/forums/sep-and-fakeav-rogueware

I don't think MBAM is a enterprise product..you can compare it with Norton not SEP.

Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
Document ID: 2000100610314948
> Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent

Interesting enough.......... I had several computers get "infected" this past couple of weeks. In each case, MBAM and TR were needed to clean them.
I ran TR (SimplySuperSoftware's Trojan Remover) and in some cases, it caught the little beasties. In other cases, it did not.
In some cases, MBAM caught the little beasties, in other cases it did not and TR did. In each case, I rescanned with SEP a day later, and SEP caught things both the other products missed (AFTER it got new defs - I'd submitted the files found by TR and MBAM and new defs were created).
I guess that showed me a couple of things - no one product gets them all, and
SEP is great at traditional risks, but the phony AV apps are so new so constantly, and get in using means simply not checked by SEP, and using tactics not checked by SEP.
In one case, MBAM caught something simply because of HOW it loaded in the registry - no other reason.
I've seen TR do the same - so they are looking for or at different things, IMO.
So I use SEPs application control rules to take care of these risks that come in through new, non-traditional means.
Rather funny, my own notebook let in one of those things WILE it was running MBAM in checking mode! MBAM was fully installed and updated, yet another phony AV app got in while I visited an automotive forum............. probably via a flash ad or something. SEP flagged it, and I removed it manually.

Go ahead and buy 5 licenses of MalwareBytes, and remove SEP from them.

I can promise you that SEP will detect more and prevent more infections than Malwarebyytes on a day to day basis.  What SEP doesnt fix, malwarebytes seems to do pretty well.  

If you still think a single product (whether it's SEP, MBAM, whatever) is all you need for protection, you WILL still get infections regardless of product in question.

After reading all the recommended articles above and the link to the other forum post complaining about SEP missing what MBytes finds -  I'm still not buying it.  If the primary means to defeat malware/spyware/viruses etc. is signature submission how do explain the disparity of a small organization like Malwarebytes beating Symantec to the punch for Rogue AV malware every time!  Symantec must receive rogue AV signature submissions in orders of magnitude greater than what Malwarebytes does.  In fact I can't remember seeing a way to submit a signature in the free version of Malwarebytes.

If rogue AV malware comprised 10% of my client security issues, then sure, I would probably find SEP a satisfatory AV/AS solution.  Sadly, rogue AV malware comprises about 95% of my client security issues.  So telling me how good SEP is at everything else isn't helping.  You're not addressing the issue. 

I too used to be of the mind that it took more than the enterprise AV to defeat the amazingly clever malware creators.  HiJackThis, with AdAware and Defender in concert were often not enough.   However, recently, with a increasing numbers of rogue AV malware infections that slip right past my SEP clients, and then remain undetected, I find Malwarebytes is the only antidote.  I would love to report that SEP detected and prevented half of my rogue AV infections, or even a third,  but so far not only has it failed to detect thus prevent any of them, it fails to remove them as well.   Rogue AV malware is not new.  It's been around for more than a year at least. 

I'm certain Malwarebytes sucks at every other kind of client security but they've got a handle on this rogue AV malware and that is what's ailing us right now. 

"What SEP doesnt fix, malwarebytes seems to do pretty well."   Perhaps Symantec could pull a Microsoft and swallow up Malwarebytes...what's a few 100 million or so?

 Well..As for solution is concerned I would say prevention is better than cure.
Look at this article from ShadowsPapa
https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers

https://www-secure.symantec.com/connect/forums/score-one-my-app-control

https://www-secure.symantec.com/connect/forums/best-practices-dealing-threat-outbreak-when-using-symantec-endpoint-protection

I will admit, we've purchased a few licenses of MB just to help clean up student machines and as a second check when the IDS alerts and SEP and a manual glance of the machine don't find anything.  I think MB is intended to complement an A/V product, not to replace it.

 Trend Micro owns them last I checked.  

No one AV product is going to be the end all be all savior. Fact is, using both SEP and Mbam is a pretty good combo.  I've had issues with rogueware in the past as well. I would use Mbam to track it down, send a sample to Symantec and clean the machine. Symantec wrote new defs and case closed. Because there are so many variants of rogueware, it's impossible to have defs for every one. I've seen Mbam miss things that SEP got.

Out of the box, SEP may not work perfectly for you. I certainly had to configure it to fit my needs and are always testing and making tweaks. And from what I've heard from users of other competing enterprise AV products, the same problems exist. Relying strictly on AV is not a good thing, I would recommend using another anti-malware product to complement SEP

I'll bite. On-access detection of SEP is nowhere near as good as MBAM's in both signature-based and especially in heuristics-based engines. When it comes to real 0-day stuff, then it;s not even a fair fight. I personally don't like MBAM's on-access due to high CPU load, so we keep SEP for on-access since it's already paid for. For on-demand we use Hitman Pro: it has 7 A/V engines and extremely advanced heuristics engine, and it picks up everything that SEP (and MBAM) let through. It is also extremely fast, so we schedule silent scans to run every 2-4 hours and users don't even notice anything. Lastly, Hitman was the first product on the market to detect AND remove all the latest TDL/TDSS variants, many of fake A/Vs are now based on or using as a launching pad.
My $0.02.

I appreciate the helpful comments and article referrals.   I'd like to say that I feel better now.  But I don't.  Just for the record I've never asserted that MBAM is a superior product to SEP only that I'm disappointed in SEPs inablility to handle our current innundation with "rogueware".   I'm not, as you may have guessed, a full time security professional, I wear many IT hats for a non-profit so stuff that works right-out-of-the-box is appealing to me.  

I'm going to utilize the article that you sent me Vikram, about setting up me SEP clients to protect them against rogue browser-helpers.  If this saves me from just a couple of rogue AV infections it will be worth the time.

I may be wrong but it's gotta be killing Symantec that MBAM is detecting and removing "rogueware" right outta the box.  If it's not killing them, it should be.

Thanks again, everyone.  Now that I vented, I do feel better.

Mobiustrip, SEP is worthless against scareware and believe me, we all share your pain. [post edited by admin]

This is an issue I deal with every few weeks and although I only find it mildly frustrating, I find it more upsetting the defensive posture of others in defense of SEP.
I use SEP in my enterprise because frankly it's the best out there for all it provides.  I'm sure others use different products or combinations, and I would like to see a better competitor, I just don't see one. 
Even with the 12/31/2009 issue, and the threats of moving away from Symantec, I'll bet most people don't.  A discount to Vision would have been nice though for vendor relations ;)
Everytime we have a 'fake AV' infection Malwarebyes is the first we turn too.  I've recommended it for family and friends as well when their products are not effective.  But we use it as a one time only removal tool.  Day 2 day protection is still SEP.

Just my thoughts...glad you feel better.

I've read this article and one thing it does not do is explain why other AV solutions detect what SEP does not.   It spends much of the time telling us why Symantec is finding it hard to nail down this particular brand of malware, (for the record I sympathize with Symantec).  

Question/Issue:
You use a currently supported version of Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) with the most recent virus definitions. A competitor's antivirus program detects a virus, SEP or SAV does not detect a virus. You want to know why.

(My comment: Yes!)

Solution:
Here are some of the ways that a threat may infect a system and not be detected by an installed antivirus:

(My comment: This does not explain the question above.  If this were a paper in argumentation you would get an F.)
 

 The answer is very simple ( but debatable )
You use MBAM or say any 3rd party AV only when SEP doesn't detect things.
So many a times MBAM detects it. It can be other way out aswell, where SEP would detect it and MBAM won't.

Whenever SEP doesn't detect a Threat the very first thing you should do is scan it with RapidRelease Defiitions (ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/)
If still it doesn't get detected then you can say yes SEPdoesn't detect it.

I have seen many comparison for SEP and other AVs but haven't seen proper comparision.

Where one has both AV's on the system then he compares which one is detecting more.

No Offence..I would still agree MBAM detects more Rouge AV but I will also say Symantec knows about it and is working on it.

I think everybody here is smart enough to know that no single product will offer 100% protection all the time. My biggest gripe with this topic is these rogue security programs have been around forever and are so blatent, so in your face, so obvious, I can't believe SEP can't prevent them or even detect them once installed. We're not talking about sneaky rootkits or some sophisitcated new threat here. These programs are very easy to spot once installed and only have a few registry entiries associated with them as well. Personal Security for example:

c:\Program Files\PSecurity
c:\Program Files\PSecurity\psecurity.exe
C:\Program Files\PersonalSec
C:\Program Files\PersonalSec\psecurity.exe
c:\Program Files\Common Files\PSecurityUninstall
c:\Program Files\Common Files\PSecurityUninstall\Uninstall.lnk
c:\WINDOWS\system32\win32extension.dll
c:\Documents and Settings\All Users\Start Menu\PSecurity
c:\Documents and Settings\All Users\Start Menu\PSecurity\Computer Scan.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Help.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Personal Security.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Registration.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Security Center.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Settings.lnk
c:\Documents and Settings\All Users\Start Menu\PSecurity\Update.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSecurity.lnk
%UserProfile%\Desktop\Personal Security.lnk

 Fake Antivirus is a underground business. Do you think they are so dumb that they will create few files then hack a website and put it online.
How many will it infect 10-100 or say 1000. But after that it will be detected by any antivirus and the creators are out of business.

But it doesn't work that way.

Virus is not categorized by File Names or Locations. But the hash value of the file is actually detected by any Antivirus.

These fake antivirus coders writes hundred as these with same file name sometimes different but almost same. However they keep on adding/Removing functionality of the rougeware.
Don't think only we have access to Virustotal or ThreatExpert. they also do a check it if their files are getting detected or not if detected they change the code hence it changes the hash value.

They don't bother if Malwarebytes or CC Cleaner of so called small Av's are detecting their files.
They make sure the bigger names are not detecting it the likes of Symantec, Trend, Mcafee etc. So that they can have a Max affect.

Its a bad bad world filled with many bad bad people. Thanks to Symantec ( and also other AV vendors ) who give us Confidence in the Connected ( internet) world. If they don't detect today , tommorow or day after they will definitely detect it.

Its also our duty to submit the Suspicious files to our AV vendor no matter who ever it is. Otherwise at the end of the day its us the users who are going to suffer with the infection.

" Thanks to Symantec ( and also other AV vendors ) who give us Confidence in the Connected ( internet) world. If they don't detect today , tommorow or day after they will definitely detect it."

Sorry, that's not true in Symantec's case. Symantec never detects it. Why do you think we're all so pissed off?

I won't argue on that..as it won't lead us to a solution. 

Wow, there's a new one I've not seen, or maybe an old one.
Most of what I've found has a running process called AV.EXE
They also come in via a file named setupxxxxxxx.exe where xxxxx can be several things - they come into the web cache and are launched from there.
They also come as JAR files, and JAVA updates!
So I block EXE in the web cache named setup*.exe
A pain if someone needs something legit but I either make an exception in my rules, or move the PC to a different group, let them do their thing, then move it back.

If TREND indeed owns them, I'd sure hope that Trend could do better than that lame GODADDY!! as a host! Wow.
Godaddy operates on the cheap using low-rent servers that won't even support our car forums.

Domain ID:D107691210-LROR
Domain Name:MALWAREBYTES.ORG
Created On:04-Oct-2005 01:27:55 UTC
Last Updated On:06-Dec-2009 09:16:43 UTC
Expiration Date:04-Oct-2010 01:27:55 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR32769942
Registrant Name:Marcin Kleczynski
Registrant Organization:Malwarebytes Corporation
Registrant Street1:356 Piercy Rd.
Registrant Street2:
Registrant Street3:
Registrant City:San Jose
Registrant State/Province:California
Registrant Postal Code:95138
Registrant Country:US
Registrant Phone:+1.4088524336
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Admin ID:CR32769944
Admin Name:Marcin Kleczynski
Admin Organization:Malwarebytes Corporation
Admin Street1:356 Piercy Rd.
Admin Street2:
Admin Street3:
Admin City:San Jose
Admin State/Province:California
Admin Postal Code:95138
Admin Country:US
Admin Phone:+1.4088524336
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:
Tech ID:CR32769943
Tech Name:Marcin Kleczynski
Tech Organization:Malwarebytes Corporation
Tech Street1:356 Piercy Rd.
Tech Street2:
Tech Street3:
Tech City:San Jose
Tech State/Province:California
Tech Postal Code:95138
Tech Country:US
Tech Phone:+1.4088524336
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:
Name Server:NS1.MALWAREBYTES.ORG
Name Server:NS2.MALWAREBYTES.ORG
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
DNSSEC:Unsigned

OK, let's put your solution into practice.   SEP patched as of yesterday missed another Scareware infection.

How do I use the FTP site?  That is, which folder and which file do I employ?
  We're using SEP Version 11.0.3001.2224

I will post my results

Download and run the symrapidreleasedefsv5i32.exe from 3rd folder in the directory as it keeps getting updated/added every hour

OK!  Nice pipe on the FTP server....nearly 2.0MB/sec. Downloaded the 59Mb file in 14 seconds.   Do I have to Enable Third Party content management in my Live Update Policy?

 If you want it to update all the Clients then use the.JDB file over there
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048

I believe Malwarebytes free for personal use, but too lazy to go and check.

That is correct.

I just used Mbam to disable yet another trojan, this time on my own machine.  It triggered when  this morning after a visit to microsofts technet website, where I was looking for information on why windows 7 network adapters go to sleep and forget where they are.  Who would have thunk it?
It's the same old security center program I've killed too many times here on other peoples machines.  I'm on SEP version 11.0.5002.333 which I just spent a pretty penny for a month ago for our small company.  I hadn't had an outbreak since I updated to that until this morning.  The net effect of the program is the same, disables your browser by going proxy server, disables the task manager, sends the browser to porno.com and adult.com and all the same places.  I had to download the latest version of MBAM as the old version on my flash drive wasn't able to go.  The bad guys are paying attention to MBAM as well.  At one time I had the screen showing all 200,000 files scanned, no problems detected screen up with all of the popups all over my screen.  SEP needs to work on the fact the net effect of these trojans is almost identical. 

To Vikram Kumar-SAV to SEP: I don't buy for one bit that Symantec's poor detection has anything to do with being a larger target. I routinely submit missed detections to Symantec that are 30/40 or higher on Virus Total, with all big guys (excluding Symantec) detecting it just fine. It also takes FOREVER for Symantec to analyze the malicious file and issue the signature for it, probably by that time malware is changed enough to be missed by it completely. 
Interestingly enough, Symantec's home-use product -- Norton Internet Security 2010 -- has significantly better detection in all of the tests, and I think this is the route SEP needs to follow. Where's advanced heuristics that works? Where's cloud-based scanning? Where's file and URL reputation service that is long present almost everywhere else? Enough with "head in the sand" approach.

For all of you battling with rogues, I may sound like a broken record, but try Hitman Pro. They just released new version that you can run in "Force Breach" mode -- you hold down Ctrl key when as you double-click on EXE and even though NOTHING is allowed to run on the machine, Hitman will launch, kill all non-essential processes in memory, including those running in user context, and will scan your machine and clean it. Here's a video that actually show it in action: http://www.youtube.com/watch?v=m6eRWTv2STk
That, and the fact that this is the only commercial solution that can detect AND remove all versions of TDL3/TDSS rootkit (including 3.241 variant) that these rogues are using as a lunching pad, is enough for me to highly recommend it.

 You might have seen that couple of times..Thats a exception which can happen with any other AV vendor even with your Hitman Pro ( unless it itself doesn't create them )...If Symantec would have been so bad nobody would use it..which is not the case.

And anyways this thread is not about who is good and who is bad but more on how to find a solution and how to prevent it with what we have in hand.

Hi Vikram,
I've seen what I've described more than few times, unfortunately, this is why I mention it here. I'm not doing it because I feel like bashing Symantec; I spent countless hours with our rep discussing the shortcomings of the product and suggesting improvements that would've made it better -- this was mostly ignored from what it seems, because I see very little improvement in what the product's main job: detect and remove malware. Symantec's case is lost with us, we are looking at other products and I am in the middle of doing a demo deployment of Symantec's two direct competitors and can say that detection-wise, both are head and shoulders above what SEP has to offer. As far as Symantec not being so bad or no one would've used it, our company excluded, I know of three other companies with tens of thousands users that have recently switched from SEP to a competitor for the same reasons as we are.
My post about Hitman is directly related to removal of the threat. If SEP is unable to do it, I think it's only fair to the original poster to provide him with a suggestion of what does. I have no special interest in Hitman and it's not "my" product; I am just a happy user of a product that does what it says it will, and I am merely passing the experience along.

Dimitri

 Hi Dimitri,

I understand your concern.But its not that Symantec doesn't know this and is not working on it.I agree SEP has a few shortcomings when it comes to Rougewares as compared Malwarebytes ( I havent tested hitman pro so I cannot comment ). But i have also seen either none symantec or MBAM detecting or Symantec detecting MBAM not detecting. Yes you can say for a troubleshooting purpose we can use MBAM ( or Hitman Pro ) but its not a solution at the end of the day if you don't submit you can get re-infected. Changing the product is definitely not a solution All AV vendors are suffering, in your testing the initials results might have been good but go to their forums ( if they have one ) you'll find similar discussions there as well..So you might ( might not ) end up switching to yet another product or might feel if it was this way I would have better stuck with SEP.
These are my views, I don't want to offend anybody but just want to keep the discussion up and up rather than going into any kind of debate/discussion between good,bad and ugly.